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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re Application of: 
Erik KNUDSEN 

IA No.: .PCT/FR00/01979 
IA Filed: 07 July 2000 

U.S. App . No . : 

(Not Yet Assigned) 

National Filing Date: 

(Not Yet Received) 

For: COMPUTING METHOD... 



Art Unit: 



Washington, D.C 



March 9, 2001 



Docket No.: KNUDSEN 2 



PRELIMINARY AMENDMENT 



Honorable Commissioner for Patents and Trademarks 
Washington, D.C. 20231 

Sir : 

Contemporaneous with the filing of this case and 
prior to calculation of the filing fee, kindly amend as 
follows : 

IN THE SPECIFICATION 

After the title please insert the following 

paragraph : 

REFERENCE TO RELATED APPLICATIONS 

The present application is the national stage under 
35 U.S.C. §371 of international application PCT/FR00/01979, 
filed 07 July 2000 which designated the United States, and 
which application was not published in the English language. — 



In re of: Erik KNUDSEN (KNUDSEN 2) 



IN THE CLAIMS 

6, A method according to claim 1, characterized in 
that it is a protocol for constructing a common key from two 
secret keys respectively belonging to the aforementioned two 
entities and a public key consisting of a point P of odd order 
of a chosen non-supersingular elliptic curve E. 



8. A method according to claim 1, characterized in 
that it is a signature protocol between two entities based on 
a pair of permanent keys belonging to the one of the entities, 
one secret (a) and the other public (Q) , resulting from the 
scalar multiplication of the secret key (a) by another public 
key consisting of a point (P) of odd order r of a chosen non- 
supersingular elliptic curve (E) . 



10. A method according to claim 7 , characterized in 
that scalar multiplication using halvings is obtained by the 
following operations : 

- if said scalar of the multiplication is denoted S, 
choose m+1 values So... Sm e {0,1} to define S as follows: 



1=0 



V 



r + l V 

2 J 



being the aforementioned odd order and m being the 
single integer between log 2 (r) - 1 and log 2 (r), 

calculate the scalar multiplication [S]P of a point 

P of said elliptic curve by the scalar S by applying an 

algorithm consisting of determining the series of points (Q m+ i, 

Q m ..., Qi..., Q 0 ) of said elliptic curve E such that: 

Qm+i = O (neutral element) 

1 



Qi = [Si]P + 



L2j 



Qi + i with o < i < m 



calculate the last point Q Q of said series giving the 
result [S]P of said scalar multiplication. 



In re of: 



Erik KNUDSEN (KNUDSEN 2) 



REMARKS 



The above amendment to the specification is being 



made to insert reference to the PCT application of which the 
present case is a U.S. national stage. The above amendments 
to the claims are being made in order to eliminate any 
properly multiply dependent claims, for the purpose of 
reducing the filing fee. Please enter this amendment prior to 
calculation of the filing fee in this case. 



Favorable consideration is earnestly solicited. 



Respectfully submitted, 
BROWDY AND NEIMARK, P.L.L.C. 
Attorneys for Applicant 



JMF: wrd 

Telephone No.: (202) 628-5197 
Facsimile No. : (202) 737-3528 




In re of: Erik KNUDSEN (KNUDSEN 2) 



"VERSION WITH MARKINGS TO SHOW CHANGES MADE" 

6. A method according tO""-eny"---pr-ee^di-n-g-----ei-a-i-Hb claim 1, 
characterized in that it is a protocol for constructing a 
common key from two secret keys respectively belonging to the 
aforementioned two entities and a public key consisting of a 
point P of odd order r of a chosen non-supersingular elliptic 
curve E . 



8 . A method according t o —a-B-y--e-f --e-la-im-S"-l---te---S claim 
1,, characterized in that it is a signature protocol between 
two entities based on a pair of permanent keys belonging to 
the one of the entities , one secret (a) and the other public 
(Q) , resulting from the scalar multiplication of the secret 
key (a) by another public key consisting of a point (P) of odd 
order r of a chosen non-supersingular elliptic curve (E) . 



10. A method according to claim 7 claim 9> 

characterized in that scalar multiplication using halvings is 
obtained by the following operations: 

- if said scalar of the' multiplication is denoted S, 
choose m+1 values So... Sm e {0,1} to define S as follows: 

( r + 1 V 



i= 0 



V 2 



J 



r being the aforementioned odd order and m being the 
single integer between log 2 (r) - 1 and log2(r), 

calculate the scalar multiplication [S]P of a point P of 

said elliptic curve by the scalar S by applying an algorithm 

consisting of determining the series of points (Q m +i/ Q m «-/ Qi-»/ 

Q 0 ) of said elliptic curve E such that: 

Qm+i = O (neutral element) 

1 



Qi = [Si]P + 



Qi + i with o < i < m 



calculate the last point Q Q of said series giving the result 



[S]P of said scalar multiplication. 
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CaXQ3^La±.ian m ethod f or ellipt ic curv e cjrryp to gr aphy 

The invention relates to a cryptographic method 
employed between two entities exchanging information over 
a non-secure communication channel, for example a cable 
or radio network, the method assuring the confidentiality 
5 and the integrity of information transfer between the two 
entities. The invention relates more particularly to an 
improvement to cryptosystems employing calculations on an 
elliptic curve. The improve mainly reduces the 
P calculation time. 

^ 10 The Dif f ie-Hellmann key exchange cryptographic 

Oj protocol is used to exchange keys securely between two 

1*1 entities. Using it entails employing a group in the 

yl mathematical sense of the term. A group that can be used 

■ |5 is constituted by an elliptic curve of the following 

i K % 15 type: 

I ]H y 2 + xy = x J + ax 2 +[3 

]lt It is known that if P = (x,y) is on the elliptic 

p curve E, it is possible to define a "product" or "scalar 

p " multiplication" of the point P of E by an integer m. This 

20 operation is defined as follows: 

[m] P = P + P + P + P (m times) 

Doubling a chosen point P on this kind of elliptic 
curve in a Dif f ie-Hellmann key exchange algorithm is 
known in the art. This operation is known as "point 
25 doubling" and is part of an iterative double-and-add 
process. Any such doubling takes time. 

The slowest part of the Dif f ie-Hellman key exchange 
protocol is multiplying an unknown point on the curve by 
a random scalar. Only elliptic curves defined on a body 
30 of characteristic-two are considered here; this is a 
widely adopted implementation choice, because addition 
within a body of this kind corresponds to the "exclusive- 
or" operation. 
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It is known in the art that multiplication by a 
scalar can be accelerated for curves defined on a body of 
low cardinality by using the Frobenius morphism. The 
curves can be chosen so that none of the known attacks 
applies to them. However, it is obviously preferable, at 
least in principle, to be able to choose the curve to be 
used from a class of curves that is as general as 
possible. The fastest version of the method in accordance 
with the invention is applied to half the elliptic 
curves. Moreover, from a cryptographic point of view, 
that half is the best half. Before the theory of the 
method is described, the basic concepts are reviewed. 

For simplicity, consider the elliptic curve (E) 
that can be represented geometrically and is defined for 
the set R of real numbers by the equation y 2 + y = x' - x J 
shown in figure 1, in which figure a horizontal line 
represents an integer number m, a vertical line 
represents an integer number n and each intersection of 
horizontal and vertical lines represents the integer 
coordinate pair (m, n) . 

(E) passes through a finite number of points with 
integer coordinates and any secant at (E) originating 
from any such point intersects (E) at two points, which 
may be coincident (in the case of tangents to the curve) . 

The addition operation applied to any two of these 
points A and B is defined as follows: let Bi be the point 
at which the straight line segment (AB) intersects (E) ; 
the vertical through Bi intersects (E) at C = A + B. 

In the special case where (AB T ) is tangential to 
(E), C is the required sum. 

The "intersection of all verticals" point O is 
referred to as the point at infinity of (E) and is the 
neutral element of the addition defined in this way 
since, by applying the geometrical construction which 
defines the addition: 
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A+O = O+A - A 

The doubling of A, which is denoted [2]A and 
defined as: A + A, is therefore the point B T , the 
straight line segment (Ax) being tangential to (E) at A. 

By applying the addition of A construction to the 
point B r , the point [3]A is obtained, and so on: this is 
the definition of the product [n]A of a point by an 
integer . 

The present invention in fact relates to a family 

of elliptic curves which cannot be represented 

geometrically but are defined as follows: 

Let n be a given integer, F r , the body of 2 n 

elements, and F 2n its algebraic closure. Let 0 be the 

point at infinity. The non-supersingular elliptic curve E 
defined at F v , is: 

E = { (x, y) e F 2H X F 2 „ |y' + xy = x' + ax + (3} vj {0} a, p e F \ P 0 

The elements of E are usually referred to as 
"points". It is well known in the art that E can be given 
an abelian group structure by taking the point at 
infinity as a neutral element. Hereinafter, the finite 
subgroup of rational points of E is considered, and is 
defined by: 

E(F 2 „ ) = {(x,y)e F 2 „ X F 2 „ ly + xy = x" + ox' + P) \j {0} a, p e F fW 0 

where N is the set of natural integers; for all m e N, 

the "multiplication by m" application in E is defined by: 
[m] : E —>E 

P->P + + P (m times) and VPeE:[o]P = 0 

E[m] is the kernel of the application. The 
points of the group E [m] are called the m-torsion points 
of E. The group structure of the m-torsion points is well 
known in the art. 

In the situation in which m is a power of 2: 

VkeN:E[2 k ] = Z/2"Z 

where Z is the set of relative integers. 
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Because E(F W ) is a finite sub-group of E, there 
exists k' > 1 such that E[2'"] is contained in E ( F, B ) if 

and only if k < k'. For the elliptic curves E for which 
k'=l, the structure of E ( F,„ ) is: 

E(F 2 „ ) = G x {O, T 2 } 

where G is an odd order group and T 2 designates the unique 

second order point of E. A curve of this kind is said to 

have a minimal two-torsion. 

It is now possible to explain the object of the 

invention. Doubling is not injective when it is defined 
on E or E ( F n11 ) , because its kernel is: E[2] = { O, T 2 }. 

Moreover, if the domain for defining doubling is 
reduced to an odd order sub-group G <r E ( F r , ) doubling 

becomes bi j ect ive . 

As a result doubling allows an inverse application 
to the sub-group that is referred to hereinafter as 
halving : 

[1/2]: G-*G 

P->Q such that: [2] Q = P 

[1/2] P is the point of G to which the doubling 
application makes the point P correspond. 
For all k>l: 



' 1 " 




V 




']' 




1 








O 




o o 




2 k 




2 




2 




_2_ 



represents k compositions of the halving 
application with itself. 

Generally speaking, the invention therefore 
provides a cryptographic method employed between two 
entities exchanging information via a non-secure 
communication channel, the method including a step of 
multiplying an odd order point of a non-supersingular 
elliptic curve by an integer, characterized in that, for 
exchanging information via the non-secure communication 
channel, the above step includes addition and halving of 
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points of said elliptic curve, the addition of points is 
an operation known in the art, the halving of a point P 
is defined as the unique odd order point D such that [ 2 ] D 



the point D. 

The halving application is beneficial for the 
scalar multiplication of a point on an elliptic curve for 
the following reason: if affine coordinates are used, it 
is possible to replace all doublings of a point of a 
scalar multiplication by halvings of a point. 

The halving of a point is much faster to calculate 

that its doubling. From a cryptographic point of view it 

is good to be able to choose from the greatest possible 

number of curves and a curve is usually used for which 
the two-torsion of E ( F H ) is minimal or isomorphic to 

Z/4Z. For a given curve F, B the minimal two-torsion 

elliptic curves constitute exactly half of the set of 
elliptic curves defined on F v , . This is why, although it 

is not totally general, the fastest version of the method 
described applies to a good proportion of the curves in 
interest in cryptography. It can also be applied when the 
elements of the body are represented in a normal basis. 
In the case of a polynomial basis, the memory space 
required is of the order of 0(n 2 ) bits. 

Some examples are given hereinafter, with reference 
to the accompanying drawings, in which: 

- figure 1 is a graph showing a very particular 
elliptic curve that can be represented geometrically and 
is used hereinafter to explain elementary operations 
employed in the context of the invention; 

- figure 2 is a diagram showing exchanges of 
information in accordance with the invention between two 
entities ; 



= P, 



2 




P denotes 
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- figures 3 to 6 are flowcharts explaining some 
applications conforming to the invention; and 

- figure 7 is a block diagram of another system for 
exchanging information between two entities A and B which 
can employ a cryptographic method according to Lhe 
invention . 

We will show how to calculate [1/2] P e G from 
P e G. We will then show how to replace the doublings of 
points by halvings to execute a multiplication by a 
scalar . 

We will use the usual affine representation of a 
point: P=(x,y) and the representation: (x f X ) with 

X p =x+y/x. 

We derive y = x (x + X ) , which uses only one 

multiplication, from the second representation. 

By proceeding in this way, to multiply a poin~ by a 

scalar, we save on multiplications by calculating 
intermediate results using the representation (x, X ) and 

the coordinate of the affine representation is determined 
only at the end of the calculation. 

A point P is halved in the following manner: 
Calculate [1/2] P from P. For this consider the two 
points of E: 

P = (x, y) = (x, x (x + X p )) 

and Q = (u,v) = (u, u (u + X Q ) ) 
such that: [2]Q = P 

The formulas for doubling known in the art yield: 
X Q = u + v/u (1) 
x-A Q 2 +A Q + a (2) 
y = (x+u) X Q + x + v (3) 
Multiplying (1) by u and inserting the value of v 
obtained in this way in (3), the above system becomes: 

v = u (u + X Q ) 
X q 2 + X Q = a + x 
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5 



10 



15 



20 



25 



30 



y = (x + u) /Lq+x + u" + uAq = u*" + x (/L 0 + 1) 
or, since y = x (x + X ) : 



Q 



+ An = a + X 



(i) 



u 2 - (x (A Q +1) + y = [X Q + X p + x + 1) (ii) 

v = u ( u + A o ) (iii) 
Starting from P = (x,y) = (x, x (x + X ) ) in affine 

coordinates or in the (x, X ) representation, the above 

system of equations determines the following two types: 

[1/2] P eG and [l[/2] P + T 2 e E ( F, H ) \ G 

which give P by doubling. The following property enables 

it to be distinguished. 

Let E be a minimal two-torsion elliptic curve and 
P e E ( F „ ) = G x {O, T 2 } one of its odd order elements. 

Let Q e{[l/2j P, [1/2] P+ T 2 } and let Q 1 be one of the two 

points of E such that [2}Q- ± = Q. 

We have the necessary and sufficient condition: 
Q + [1/2]P<=>Q! e E( F,,, ) (a) 

We deduce from this that it is possible to check if 

Q = [1/2] P by applying the formulas (i), (ii) and (iii) 

to Q and verifying if one of the points obtained belongs 
to E{ F 2 „ ) . 

We can extend this process to an elliptic curve 
E ( F r ) = G x E [2'] that is arbitrary by applying the 

formulas (i), (ii) and (iii) k times: the first time to 
Q, to obtain a point Qi such that [2] Q 1 = Q; the ith time 
to Qi-i to obtain a point Q a such that [2] Q L = Qx-i. The 
resultant point Qk will be of the form: 



] 



k + i 



P + T, kll if and only if Q = [1/2] P + T-> and will be of 



the form: 
1 



k + i 



P+T,, with 0 < i < k if and only if Q - [1/2] P. We 



therefore have the necessary and sufficient condition: 

Q = [1/2] P o Q K e E(F,„ ) 
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This process is evidently lengthy if k is large. 

The above equation (a) shows that we can determine 

whether Q = [1/2] P or Q = [1/2] P + T 2 by examining if the 
coordinates of Qj belong to or to a super-body of l\„ . 

As Qi is determined by the equations (i), (ii) and (iii), 

we have to study the operations used in solving these 

equations, which are not internal to the body but have 
their result on a super-body of F V1 . The only possible 

instance is that of solving the second degree equation 
(i): we must also calculate a square root to calculate 
the first coordinate of Qi, but in characteristic-two 
finding the square root is an operation internal to the 
body. Thus: 

Q = (u, v) = [1/2] P <=> 3A e F,., : A 2 + A = a + u 

Because finding the square root is internal to the 
body, this necessary and sufficient condition can also be 
wrirten : 

Q - (u, v) = [1/2] P <=> 3A e F, H : A 2 + A = cr + u" 

The preceding relation is used to optimize the 
algorithm referred to below in instances where the square 
root calculation time is not negligible. 

For P eG, the two solutions of (i) are A[i/- ]P and 
A [i/2] p "f* 1 and we deduce from (ii) that the firsr 
coordinates of the associated points are u and (u + ) . 
We can therefore deduce an algorithm for calculating 
[1/2] P in the following manner: 

If F r is a finite body of 2 n elements, E ( F,„ ) is 

the sub-group of an elliptic curve E defined by: 

E(F,„) = {(x,y)e F, B X F 2 „ I y 2 + xy = x 3 + ax 2 + p } (J { 0 } a, 

P e F,, , P * 0, 

and E[2 y ] is the set of points P of said elliptic curve 
such that P added 2 }: times to itself gives the neutral 
element O when k is an integer greater than or equal to 1 
then a point P = (x,y) of said elliptic curve yields by 
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said halving the point 



2 



P = (u 0/ v 0 ) of said elliptic 



curve, obtained by effecting the following operations 
illustrated by the figure 3 flowchart: 

• seek a first value A 0 such that A, 0 2 + X 0 = a + x 

• calculate a second value u 0 ~ such that u D 2 = x (X a + 1) 

+ y 

• if k has the value 1, check if the equation: X ~ + a - 
a" + u 0 2 has solutions in F v , , 

• if so, calculate said halving as follows: 



and 



V 0 " U 0 (U 0 + X 0 ) 
1 

P = (u 0 , v 0 ) 



• if not, add x to said second value u 0 2 and 1 to said 
first value X a to calculate said halving as in the 
preceding operation ; 

• if k is greater than 1, perform the following iterative 
calculat ion : 

seek a value A L such thatli 2 + X± = a + u±-i 

then calculate the value u 2 i such that u 2 ! = u 1 _ i {X x + X r -i 

+ U x -i +1) 

by incrementing i from i=l until the value Ut-i 2 is 
obtained 

• check whether the equation X 2 + X = a 2 + u 2 i_ f has 
solutions in F. 



if so, calculate said halving is as follows: 



v 0 = u 0 (u 0 + X 0 ) 



and 



1 



P = (U 0 , V 0 ) 



• if not, add x to the second value u G 2 and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 
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If we choose to represent the point 



? 



P = (u iw v fl ) 



of the elliptic curve by (u Q , X 0 ) with X 0 = u 0 + v o /u 0 , then 
the algorithm conforms to the figure 4 flow chart: 

• seek a first value X 0 such that X 0 ~ + X 0 = a + x 

• calculate a second value u Q 2 such that u D 2 = x (X n + ]) + 

Yr 



if k has the value 1, check if the equation: X 2 + A. 0 
or + u'„ has solutions in F 7 „ , 

if so, calculate said halving as follows: 

1 



u 



and : 



2 



P = (Uo, X 0 ) 



• if not, add x to said second value u 0 " and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation ; 

• if k is greater than 1 perform the following an 
iterative calculation : 

seek a value A ± such that k c + Xi = a + Uj.-i 
then calculate the value Ui~ such that u : / = u : _i (X t 
+ A^-i + u^ x + 1) 

incrementing i from i = l until the value u 2 k -i is obtained 

• check if the equation X 2 + X, = a 2 + u 2 y~i has solutions 



in F. 



if so, calculate said halving as well as follows: 
u< 



1 



and 



P = (u 0 , X 0 ) 



• if not, add x to said second value u 0 2 and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

If we choose to represent the point P = (x,y) by 

(x, A p ) setting X p = x+y/x which gives by said halving 
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the point 



? 



P = (u 0 ,v 0 ) of said elliptic curve, then the 



algorithm conforms to the figure 5 flow chart: 

• seek a first value >l 0 such that X^ + X 0 = a + x 

• calculate a second value u</* such that u Q 2 = x (X n + X t) + 



x + 1) 

if k has the value 1, check if the equation 
a 2 + u 0 2 has solutions in F ?)1 , 

if so, calculate said halving as follows: 
u 0 



A 



+ X = 



V 0 = U c (U 0 + X Q ) 
1 



and : 



P = (u 0/ v 0 ) 



• if not, add x to said second value u n ~ and 1 to said 
first value X a to calculate said halving as in the 
preceding operation; 

• if k is greater than 1 perform the following an 
iterative calculation : 

seek a value X x such that X x + X x = a + Ui-i 
then calculate the value u 2 x such that u 2 1 = Ui-j (X x 
+ X^ x + ui-i + 1) 

incrementing i from i=l until the value u 2 j : -i is obtained 

• check if the equation X 2 + X = a z + u 2 } : -i has solutions 
in F, n 

• if so, calculate said halving as well as follows: 

v 0 = u 0 (u 0 + X 0 ) 



and 



]_ 
9 



P = (u 0 , v 0 ) 



• if not, add x to said second value u 0 ~ and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

Finally, if we choose to represent the point P= 
(x,y) by (x, X p ) with 
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X p = x + y/x which gives by said halving the point 



9 



P = 



(u 0 , v 0 ) of the elliptic curve represented by (u n , X n ) with 
A. 0 = u u + v 0 /uo then the algorithm conforms to the figure 6 
algorithm: 

• seek a first value /l 0 such that X ( -T + A, 0 = a + x 

• calculate a second value u 0 2 such that u 0 2 = x (X n + X v + 
x + 1) , 

• if k has the value 1 check if the equation X 2 +X = a' 
+ u G has solutions in F,„ , 

• if so, calculate said halving as follows: 

_j 

• if not, add x to said second value u n 2 and 1 to said 
first value A, tl to calculate said halving as in the 
preceding operation ; 

• if k is greater than 1 perform the following iterative 
calculation : 



and 



P = (u 0 , K) 



seek a value X x such that X± + X x = a + 



i 



then calculate the value u 2 x such that u x 2 = u^j {X^ 
+ X x . x + ui-i + 1) 

incrementing i from i=l until the value u 2 k _i is obtained 

• check if the equation X- 2 + X = a 2 + u 2 ^x has solutions 

in F r , 

• if so, calculate said halving as follows: 

Uo = V U o" 



and 



!_2_j 



P = (u 0 , X 0 ) 



• if not, add x to said second value u 0 ~ and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

We next describe how to perform the check, solve 
the second degree equation and calculate the square root 
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in the algorithm for halving a point rapidly. We consider 

the normal basis and the polynomial basis. 

The normal basis results are known in the art. We 
can consider F v , as the n-dimensional vectorial space on 

F, . In a normal basis, an element of the body is 

represented by: 

l=C! 

where (3eF v , is chosen such that: jp,p 2 [3 2 } is a basis l\ t , . 

In a normal basis, the square root is calculated by a 

left circular shift and squaring is effected by a right 

circular shift. The corresponding calculation times are 

therefore negligible . 

If the second degree equation: X" + X = x has its 
solutions in F,„ , a solution is then given by: 

n-l _ i 

X = X^'P 2 ' with: = X Xl 1< i < n - 1 

1=1 k=i 

The time to calculate X is negligible compared to 

the time to calculate a multiplication of an inversion in 

the body. As the time to calculate a solution of the 

second degree equation is negligible, the check can be 

effected as follows: calculate a candidate X from x and 

check if X" + X = x. If not, the equation has no 
solution in F v , . 

In a polynomial basis, the following representation 
is used: 

M-l 

x = Xi X '^' W ^ til x i €{0,1}. The square root of x can be 

calculated by storing the element if we note that: 

- in a body of characteristic-two, the square root 
is a morphism of the body, 

V even ' a— M even ' 

Grouping in x the even and odd powers of T and 
taking the square root, this becomes: 
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j_ i - 1 

-J7 = X X < T ' + Z x ' r 2 

i even i tnld 

so that, to calculate a square root, it is sufficient to 

"reduce" two vectors by half and therefore to execute a 

multiplication of a previously calculated value by an 

5 element of length n/2. This is why the time to calculate 

a square root in a polynomial basis is equivalent to half 

the time to calculate a multiplication in the body. 

For the check and for solving the second degree 
equation, we consider F B as a n-dimensional vectorial 

3 10 space on F 2 . The application F defined as follows: 
•y f • F —> F 

L • 1 ill 7 1 ,11 

m x -> x 2 + x 

^ is then a linear kernel operator {0, 1} 

jfi For a given x, the equation X 2 + X = x has its 

, 15 solutions in F 2 „ if and only if the vector x is in the 

If: image of F. Im(F) is an (n - 1 ) -dimensional sub-space of 

ilj F,„ - For a given basis of F 2 „ and the corresponding scalar 

15 product there exists a single non-trivial vector 

\A orthogonal to all the vectors of Im(F). Let w be that 

20 vector. We have: 

3X e F ?ll : X 2 + X = x o x • w = 0 

Accordingly, the check can be performed by adding 
the components of x to which components of w equal to 1 
correspond. The time to perform this check is negligible. 
25 To solve the second degree equation: F {X) = \~ + X = 

x in a polynomial basis, we propose a simple and direct 
method which imposes the storage of an n x n matrix. For 
this we look for a linear operator G such that: 

Vx€lm(F):F(G(x))=(G(x)) 2 +G(x) = x 
30 Let y e F 1(1 be a vector such that y£lm(F) and define G as 

follows : 

G=F"' with f(T')= f 7 if : i= 0 

| F(T 3 ) if: l<i<n-l 
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Given that x = Y""x,F(7') e Im(F) then G(x) is a 

« / — I 

solution of the second degree equation. One 
implementation consists of precalculat ing the matrix 

representing G in the basis {1,T, , T 11 " 1 }. In 

characteristic-two, the multiplication of a matrix by a 
vector is reduced to adding columns of the matrix to 
which a component of the vector equal to 1 corresponds. 
It follows that this method of solving a second degree 
equation consumes on average n/2 additions in the body 



F. 



Application of the principles explained above to 
scalar multiplication is described below. 

Let Pe E(F }11 ) be a point of odd order r, c a random 

integer and m the integer part of log 2 (r) . We calculate 
the product [c]P of a point by a scalar using the 
application for halving a point. 
We show that : 

For any integer c, there is a rational number of the 



form: 



c, e {0j} 



/=f) Z 



such that : 



m c 



c = — (modr) 



„o2 

Let <P> be the cyclic group generated by P. Because of 
the ring isomorphism: 

P « Z/rZ 

[k]P -> k 

The scalar multiplication can be calculated as follows: 

c 



2 



[c]P = I 

1=0 

using halving and addition. We can use the double-and-add 
algorithm well known in the art for these calculations. 
For that it is sufficient to replace doubling by halving 
in the algorithm. It is necessary to execute log- (r) 
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halvings and, on average, 1/2 log, (r) additions. There 
are improved versions of the double-and-add algorithm 
which require only 1/3 log 2 (r) additions on average. 

Consequently, a scalar multiplication using a 
halving as defined above is obtained by means of the 
following operations: 

- if said scalar of the multiplication is denoted S, 
choose m+1 values 

So... Sm e {0,1} to define S as follows: 

f r + 1 V 
S = £ S, — — 

! = o V 2 ) 

- r being the aforementioned odd order and m being 
the single integer between log 2 (r) -1 and log 2 (r), 

calculate the scalar multiplication [S]P of a 
point P of said elliptic curve by the scalar S by 
applying an algorithm consisting of determining the 
series of points (Q m+1 , Qm ..., Qi _ Qo) of said elliptic 
curve E such that: 

Qm+i = 0 (neutral element) 

1 ' 

— Qi + i with o < i < m 

- calculate the last point Q c of said series giving 
the result [S] P of said scalar multiplication. 

To add the initial point P to an intermediate 



Qi = [Si]P + 



result Q- 



Q, , we use the following algorithm, which is 



a slightly modified version of the standard algorithm: 

Input: P = (x,y) in affine coordinates and Q = ( u , 
u(u + X, Q ) ) represented by (u, X Q ) 

Output: P + Q = ( S , t) in affine coordinates 
algorithm : 

1- Calculate: X = l^llhl 

X + u 

2. Calculate: s = X 2 + X + a + x + u 

3. Calculate: t = (s + x)X + s + y 
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4 . Result : ( s , t ) 

This algorithm uses one inversion, three 
multiplications and one square root. 

Much time is saved by replacing doubling by 
halving. In affine coordinates, doubling and addition 
both require: one inversion, two multiplications and a 
square root. If the scalar of the multiplication by a 
scalar is represented by a bit vector of length m and of 
k non-zero components, scalar multiplication requires: 



operation 


double and add 


halve and add 


invers ions 


m + k 


k 


multiplications 


2m + 2k 


m + 3k 


squarings 


m + k 


k 


solutions of 
X"+A,=a+x 


0 


m 


square roots 


0 


m 


checks 


o 


m 



Thus using halving saves m inversions, m-k 
multiplications and m squarings at the cost of adding m 
second degree solutions, m square roots and m checks. 

In a polynomial basis, an execution time 
improvement of around 50% can be obtained. 

In a normal basis, we estimate the time to 
calculate the square root, perform the check and solve 
the second degree equation negligible compared to the 
time to calculate a multiplication or an inversion. 
Assuming further that the time to calculate an inversion 
is equivalent to the time to calculate three 
multiplications, we arrive at an execution time 
improvement of 55%. 

Figure 2 is a diagram showing one possible 
application of the algorithms described above between two 
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entities A and B exchanging information over a non-secure 
communication channel. Said communication channel can 
consist of simple electrical connections established 
between the two entities for the time of a transaction. 
It can also include a radio and/or optical 
telecommunication network. In this instance the entity A 
is a microcircuit card and the entity B is a server. Once 
connected to each other via said communication channel, 
the two entities apply a common key construction 
protocol. For this purpose: 

- entity A has a secret key a 

- entity B has a secret key b 

They must generate a secret key x known only to 
them from a public key consisting of a point P of odd 
order r of a chosen non-supersingular elliptic curve E. 

The protocol employed is a Dif f ie-Hellman protocol, 
substituting for the usual "mult iplicat ion-by-two ,T 
referred to as doubling the operation in accordance with 
the invention described above and referred to as 
"halving" . 

The algorithm for this is as follows: 

- the first entity (for example A) calculates the 
scalar multiplication [a]P and sends the result point to 
the second entity, 

- the second entity (B) calculates the scalar 
multiplication [b]P and sends the result point to the 
first entity, 

- the two entities respectively calculate a common 
point (C) = (x,y) of said elliptic curve (E) by 
respectively effecting the scalar multiplications 
[a]([b]P) and [b]([a]P), both equal to [a.b]P, and 

- the two entities choose as their common key the 
coordinate x of said common point (C) obtained by said 
scalar multiplication [a.b]P, at least one of the 



1 
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preceding scalar multiplications, and preferably all of 
them, being effected by means of predefined halvings. 

To give a more precise example of this, figure 7 
shows a server B connected to a communication network 1 
5 via a communication interface 2, for example a modem 
interface. Similarly, a calculation station 3 is 
connected to the network 1 via a communication interface 
4. The station 3 is equipped with a microcircuit card 
reader 5 into which the microcircuit card A is inserted. 
10 The random access memory 6 of the server B contains 

a program 7 capable of executing cryptographic 
calculations on elliptic curves and in particular the 
product of a point by a scalar and the halving of a 
point . 

15 The card A contain a central processor unit 11, a 

random access memory (RAM) 8, a read-only memory (ROM) 9 
and an electrically erasable programmable read-only 
memory (EEPROM) 10. One of the memories 9 or 10 contains 
a program 12 capable of executing cryptographic 

20 calculations on elliptic curves and in particular the 
product of a point by a scalar and the halving of a 
point . 

The two programs 7 and 12 have a common reference 
consisting of the same elliptic curve (E) and the same 
25 point P=(xo, yo) of (E) . 

When A wishes to construct in parallel with B a 
common secret key for securing dialog with B, it chooses 
a scalar a and sends to B the product Q=[a]P=(xi, yi ) . In 
response to this, B chooses a scalar b'and sends back to 
30 A the product R=[b]P = (x 2 , y-) . 

A then calculates the product [a] R = [ab]P = 
(x, y) and B calculates the product [b] Q = [ab]P = 
(x, y) and A and B adopt x as a common secret key. 

These operations are represented in the table 
35 below. Those which are effected in the server B are 
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indicated in the right-hand column and those which are 
effected in the card A are indicated in the left-hand 
column. The horizontal arrows symbolize transfers of 
information via the network 1. 




P = (x 0 , y 0 ) P = (x 0 , y 0 ) 

choice a 

Q = [ajP = (xi, yi) ► 

choice b 

< r = [b ] P = ( X2/ y 2 ) 

[a]R = (x, y) [b] Q = (x,y) 

key - x key = x 



Another application of the invention applies 
between the two entities A and B in figure 7. It consists 
of a protocol for signing a message M transmitted between 
A and B via the non-secure channel, i.e. the network 1. 
The object of this protocol, the broad outlines of which 
are known in the art, is to make it certain that the 
message received by one entity was sent by the other 
entity . 

To this end, the sending entity (for example A) has 
two permanent keys, namely a secret key a and a public 
key Q = [a] P, P being a point on an elliptic curve (E) , 
and P and (E) being known to and agreed on by A and B. 
Another public key is the point P of odd order r of the 
chosen non-supersingular elliptic curve E. The operations 
effected entail halvings in the sense defined above. 

In one example: 

- the first entity (A) holding said pair of 
permanent keys constructs a single-use pair of keys, one 
key (g) chosen arbitrarily and the other key [g] p 
resulting from scalar multiplication of said arbitrarily 
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chosen key (g) by the public point P of said elliptic 
curve, the coordinates of the key ([g]P) being denoted 
(x,y) with 2 < g < r-2, 

- the first entity (A) converts the polynomial x of 
said single-use key [g]P = (x f y) into an integer i whose 
binary value is represented by the sequence of binary 
coefficients of said polynomial x, 

- said first entity (A) calculates a signature 
(c,d) of the message (M) as follows: 

c = i modulo r 

d = g -1 (M + ac) modulo r, 

- said first entity sends said message (M) and said 
signature (c, d) to said second entity; on receiving it: 

- said second entity (B) checks if the elements of 
said signature (c,d) each belong to the range [1, r-i], 

- if not, it declares the signature invalid and 

stops 

- if so, said second entity (B) calculates three 
parameters : 

h = d' 1 modulo r 
hi = Mh modulo r 
Y12 = ch modulo r 

- said second entity calculates a point T of said 
elliptic curve by summing the scalar multiplications of 
the points P and Q by the last two parameters cited: 

T = [h^ P + [h 2 ] Q 

if the resultant point T is the neutral element, 
said second entity declares the signature invalid and 
stops . 

if it is not the neutral element, considering the 
point T with coordinates x r and y ! : T = (x',y ! ): 

- said second entity (B) converts the polynomial x' 
of that point into an integer i' whose binary value is 
represented by the sequence of binary coefficients of 
said polynomial x', 
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- said second entity (B) calculates c 1 = i T modulo 
r, and: 

- checks that c T - c: if so it validates said 
signature and if not it invalidates it, at least one of 
the scalar multiplication operations and preferably all 
of them being effected by means of the predefined 
halvings . 

These operations can be represented by the table 
below in which the operations effected in the server B 
are indicated in the right-hand column and the operations 
effected in the card A are indicated in the left-hand 
column, the arrow between the two columns symbolizing the 
transfer of information via the network 1. 
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© 




B 



choice g 2< g < r-2 

[g] P = x, y 
x= ^x, t' -»i =£x,2' 

message M 

c= i mod r 

d= g" 1 (M+ac) mod r 

M, (c, d) * 1< c < r-i ? no 

yes 



error 
1< d < r-1 ? no 
yes 



I 

er ro 



h = 



d _i mod r 
hi= Mh mod r 
h 2 = ch mod r 

[hi] P + [h 2 ] Q = (x\ y') 



T = 



T - O ? 
no 



yes 



x 1 - 



Ex.t'-i'^x,* 

c T = i 1 mod r 
c * =c ? 



no 



yes 



GOOD 



T 

BAD 
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CLAIMS 



1. A cryptographic method employed between two 
entities exchanging information via a non-secure 
communication channel, the method including a step of 
multiplying an odd order point of a non-supersingula r 
elliptic curve by an integer, characterized in that, for 
exchanging information via the non-secure communication 
channel, the above step includes addition and halving of 
points of said elliptic curve, the addition of points is 
an operation known in the art, the halving of a point, P 
is defined as the unique odd order point D such that [2]D 

1 



= P, 



~ ) denotes the halving operation and 



P denotes 



the point D. 

2. A method according to claim 1, where F,„ is a 
finite body of 2 n elements, E { F ?11 ) is the sub-group of an 

elliptic curve E defined by: 

E(F'') = {(x,y)e F- n X \y + xy = x : + ox' + p} kj {0} a, p e F ", (3 * 0 
and E[2 k ] is the set of points P of said elliptic curve 
such that P added 2 K times to itself gives the neutral 
element 0, where k is an integer greater than or equal to 
1, characterized in that a point P = (x,y) of said 

rn 

elliptic curve gives by said halving the point — P = 

(u 0/ v 0 ) of said elliptic curve obtained by effecting the 
following operations: 

• seek a first value X 0 such that k 0 " + X 0 = a + x 

• calculate a second value u Q 2 such that u Q 2 = x (k 0 + 1) 

+ y 

• if k has the value 1, check if the equation: X 2 + I ^ 
a 2 + u 2 u has solutions in F 2 n , 

• if so, calculate said halving as follows: 

u 0 = 



0 
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v 0 = u 0 (u 0 + X 0 ) 



and 



2 



P = (u 0 , v 0 ) 



if not, add 



to said second value u 0 ^ and 1 to said 



m 



the 



first value X 0 to calculate said halving as 
preceding operation; 

• if k is greater than 1, perform an iterative 
calculation as follows: 

seek a value ki such that/li 2 + X ± = a + u L -i 

then calculate the value u^i such that u\ = u x -i [X x + A^-] 
+ u,-! +1) 

i from i=l until the 



by incrementing 
obtained 

• check whether the equation X 2 + X = 



value u">_[ is 



a* 



+ a 



V - J 



ha s 



solutions in F 2 n 

• if so, calculate said halving as follows: 

Uo 



and 



v 0 = u 0 (u 0 + X 0 ) 

P = (U 0 r V„) 



2 



• if not, add x to the second value u n " and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

3. A method according to claim l f where F 2 n is a 
finite body of 2 n elements, E ( F? n ) is the sub-group of an 
elliptic curve E defined by: 

E{F n ) = {(x,y)e F- p X F^ H |y' + xy = x* + ax^ + (3} u {0} a, p e F", [3*0 
and E[2 } '] is the set of points P of said elliptic curve 
such that P added 2 k times to itself gives the neutral 
element 0, where k is an integer greater than or equal to 

1, characterized in that a point P = (x,y) of said 

"1 



elliptic curve gives by said halving the point 



? 



P = (u„, 



X 0 ) of said elliptic curve, 
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with A, 0 = u 0 + v 0 /u 0 , obtained by effecting the following 
operations : 

• seek a first value X 0 such that X a ^ + X 0 = a + x 

• calculate a second value u 0 ^ such that : u 0 " = x {X 0 + 1) 

+ y 

• if k has the value 1, check if the equation : X' +A 
= a 2 +\i 0 l has solutions in F?", 

• if so, calculate said halving as follows : 



1 

and 



P = (u 0 , K) 



2 

• if not, add x to said second value u 0 ^ and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation ; 

• if k is greater than 1, perform the following iterative 
calculation : 

seek a valued , such that /I ^ z + X 2 = a + u : -i 

then calculate the value such that u x 2 = u^i (X, + 

+ Ui-i +1) 

by incrementing i from i = 1 until the value u^_i is 
obtained 

• check if the equation X 2 + X = a 2 + u 2 K -i has solutions 
in F 2ll 

if so, calculate said halving as folows: 

V 

2 

• if not, add x to said second value u 0 z and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

4. A method according to claim 1, where F^ n is a 
finite body of 2 n elements, E(F 2 n ) is the sub-group of an 
elliptic curve E defined by: 
E(F') = {(x,y)e F- n X iy 1 + xy = x + ax + P) u {0} a, p e F ', p * 0 



u 0 = A/u , " and 



P = (u 0 , X 0 ) 
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gives by said halving the point 



P = (u t ,f v 0 ) of said 



and E[2 k ] is the set of points P of said elliptic curve 

such that P added 2 y times to itself gives the neutral 

element O, where k is an integer greater than or equal to 

1, characterized in that a point P = (x,y) of said 

elliptic curve represented by (x,A, p ) with X p = x + y/x 

M 

elliptic curve obtained by effecting the following 
operations : 

• seek a first value X a such that X^ + X 0 = a + x 

10 • calculate a second value u 0 2 such that u c 2 = x (X 0 + X v + 
x + 1) 

• if k has the value 1, check if the equation: A 2 + A = 
a 2 + u 0 2 has solutions in F 2 n , 

• if so, calculate said halving as follows: 

15 u () = yu 0 " 

V 0 = U 0 (U 0 + A, 0 ) 
"I 



and : 



1 



P = (u 0 , v 0 ) 



• if not, add x to said second value u 0 2 and 1 to said 
first value X 0 to calculate said halving as in the 

20 preceding operation; 

• if k is greater than 1, perform the following iterative 
calculation : 

seek a value A ± such that A 2 + Xi = a + u 2 _i 
then calculate the value Ui 2 such that Ui 2 = Ui_i {Xi + 
25 + Ui- 3 + 1) 

incrementing i from i = l until the value u 2 k -i is obtained 

• check if the equation X 2 + X = a 2 + u 2 k -j has solutions 
in F 2 n 

• if so, calculate said halving as follows: 
30 u 0 = 7 U <> 2 

v 0 - u 0 (u 0 + X t) ) 
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and 



]_ 

1 



P - (u 0 , v 0 ) 



• if not, add x to said second value u t , 2 and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

5. h method according to claim 1, where F 2 n is a 
finite body of 2 n elements, E(F 2 n ) is the sub-group of an 
elliptic curve E defined by: 

E(F") - {(x,y)e F' 1 X F " |y + xy = x' + ocx + P} u {0} a, |3 e F ' , p ^ 0 
and E[2 k ] is the set of points P of said elliptic curve 
such that P added 2 k times to itself gives the neutral 
element O, where k is an integer greater than or equal to 
1, characterized in that a point P = (x,y) of said 
elliptic curve represented by (x,A, p ) with X 9 = x + y/x 



gives by said halving the point 



P = (u 0 , v 0 ) of said 



elliptic curve represented by 

(u 0/ X 0 ) , with X Q = u 0 + v 0 /u 0 obtained by effecting the 
following operations: 

• seek for a first value X 0 such that A, 0 2 + X a = a + x 

• calculate a second value u Q 2 such that u Q 2 = x (X ;> + X }) + 
x + 1), 

• if k has the value 1, check if the equation X ' : + A = 
a 2 + u 0 2 has solutions in Fz n f 

• if so, calculate said halving as follows: 

r i "i 



and 



2 



P = (u 0 , X 0 ) 



• if not, add x to said second value u 0 " and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation ; 

• if k is greater than 1, perform the following iterative 
calculation : 

seek a value X± such that A + X x = a + u x -i 
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then calculate the value u a such that ui" = u x -i + 
+ Ua-i + 1) 

incrementing i from i = l until the value u 2 k _] is obtained 

• check if the equation X* + X, = + u^-i has solutions 
in F 2 n 

• if so, calculate said halving as follows: 



u 



and 



( u 0 , A, u ) 



• if not f add x to said second value u 0 2 and 1 to said 
first value X 0 to calculate said halving as in the 
preceding operation . 

6. A method according to any preceding claim, 
characterized in that it is a protocol for constructing a 
common key from two secret keys respectively belonging to 
the aforementioned two entities and a puDlic key 
consisting of a point P of odd order r of a chosen non- 
supersingular elliptic curve E. 

7. A method according to claim 6, characterized in 
that a and b are the secret keys of first and second 
entities, respectively, as known in the art, and: 

- the first entity calculates the scalar 
multiplication [a]P and sends the result point to the 
second entity, 

- the second entity calculates the scalar 
multiplication [b] P and sends the result point to the 
first entity, 

- the two entities respectively calculate a common 
point (C) = (x,y) of said elliptic curve (E) by 
respectively effecting the scalar multiplications [a] 
([b]P) and [b] ([a]P), both equal to [a.b]P, and 

- the two entities choose as their common key the 
coordinate (x) of said common point (C) obtained by said 
scalar multiplication [a.b]P, at least one of the 
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preceding scalar multiplications, and preferably all of 
them, being effected by means of predefined halvings. 

8. A method according to any of claims 1 to 5, 
characterized in that it is a signature protocol between 
two entities based on a pair of permanent keys belonging 
to the one of the entities, one secret (a) and the other 
public (Q) , resulting from the scalar multiplication of 
the secret key (a) by another public key consisting of a 
point (P) of odd order r of a chosen non-supersingular 
elliptic curve (E) . 

9. A method according to claim 8, characterized by 
the following operations: 

- the first entity (A) holding said pair of 
permanent keys constructs a single-use pair of keys, one 
key (g) being chosen arbitrarily and the other key [g] P 
resulting from scalar multiplication of said arbitrarily 
chosen key (g) by the public point P of said elliptic 
curve, the coordinates of the key ([g]P) being denoted 
(x,y) with 2 < g < r-2, 

- the first entity (A) converts the polynomial x of 
said single-use key [g]P = (x,y) into an integer i whose 
binary value is represented by the sequence of binary 
coefficients of said polynomial x, 

- said first entity (A) calculates a signature 
(c,d) of the message (M) as follows: 

c = i modulo r 

d = g" 1 (M + ac) modulo r, 

- said first entity sends said message (M) and said 
signature (c, d) to said second entity; on receiving it: 

- said second entity (B) checks if the elements of 
said signature (c,d) each belong to the range [1, r-1], 

- if not, it declares the signature invalid and 

stops 

- if so, said second entity (B) calculates three 
parameters : 
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h = cT modulo r 
h] = Mh modulo r 
h 2 = ch modulo r 

- said second entity calculates a point T of said 
elliptic curve by summing the scalar multiplications of 
the points P and Q by the last two parameters cited: 

T = [hx] P + [h 2 ] Q 

if the resultant point T is the neutral element, 
said second entity declares the signature invalid and 
stops ; 

if not, considering the point T with coordinates x f 
and y ' : T = (x 1 , y 1 ) , 

- said second entity (B) converts the polynomial x' 
of that point into an integer i' whose binary value is 
represented by the sequence of binary coefficients or 
said polynomial x', 

- said second entity (B) calculates c T = i' modulo 

r and, 

- checks if c 1 = c, in which case it validates said 
signature, or if not invalidates it, at least one 
aforementioned scalar multiplication operation and 
preferably all of them being effected by means of the 
predefined halvings . 

10. A method according to claim 7 or claim 9, 
characterized in that scalar multiplication using 
halvings is obtained by the following operations: 

- if said scalar of the multiplication is denoted 
S, choose m+1 values So... Sm e {0,1} to define S as 
follows : 



t = n A 2 J 

r being the aforementioned odd order and m being 
the single integer between log 2 (r) - 1 and log 2 (r), 

calculate the scalar multiplication [S]P of a point 
P of said elliptic curve by the scalar S by applying an 
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algorithm consisting of determining the series of points 
(Qm+i/ Qm— / Qi—f Qo) of said elliptic curve E such that: 

Qin+i = O (neutral element) 

1 



Qi = [SJP + 



? 



Q x + i with o < i < m 



calculate the last point Q D of said series giving 
the result [S]P of said scalar multiplication. 



ABSTRACT 

The invention concerns fast cryptographic method 
between two entities exchanging data via a non-secure 
communication channel. The method, for example for forming a 
common key between two entities (A, B) each having a secret key 
(a,b) and using a public key (P) formed by a point of an 
elliptic curve (E) , comprises at least a step which consists 
in multiplying said odd order point (P) by an integer and said 
phase comprises operations called additions and halving, the 
latter operation characterizing the invention. 
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FIG. 3 




calculate A 0 such that: X 0 2 


+ X Q = a + x 




calculate u 0 2 such that:u 0 2 


= X<^ + 1) + y! 




U 0 2 =U 0 2 + X 
=^o + 1 



1 



For i from 1 to k-1 calculate: 

• X f such that x ( 2 + X, = a + U h1 
. U, such that U) 2 = u M (X } + + Uh1 +1 ) 




1 



U 0 

Vo = U 0 (U 0 4- X 0 ) 
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FIG. 4 




calculate X 0 


such that: \ 0 2 


+ X Q = a + x 


* 


calculate u 0 2 


such that: u Q 2 


= x(X 0 + 1) + y 




k>l 



YES 



Uo 2 =U 0 2 + X 



For i from 1 to k-1 calculate: 

• X i such that: X , 2 + X| = a + Un 

• U| 2 such that Ui 2 = u M (Xj + X M + u M +1) 




NO 



u 0 = Vu 
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FIG. 5 




U 0 - V u o 2 

Vo = u 0 (u 0 + X Q ) 



r 
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FIG. 6 




calculate X 0 such that X Q 2 + X 0 = a + X 



i 



calculateu 0 2 such that:U 0 2 = X (A. 0 +X p + x + 1) 




k>1 



YES 



U 0 2 =u 0 2 + x 



For i from 1 to k-1 calculate: 

• A i such that: Ai 2 + X, = a + U;., 
.Ui such that: u, 2 = u M + Xm + Un +1) 
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